Confirmed evidence of cyber-warfare using GPS history data

Question

In its recent policy, the US Department of Defense has prohibited the use of GPS-featured devices for its overseas personnel.

They explain it with a theory that commercial devices like smartphones or fitness trackers can store the geo-position (GPS) data along with the device owner's personal information on third-party servers, and this information can leak to the enemies, which, in turn, would “potentially create unintended security consequences and increased risk to the joint force and mission.”

Although it's a nice theory, I'd like to know whether this policy is just a theory or it has been based on some confirmed incidents of such use of cyber-warfare in an ongoing war.
Hence the question: Is there any confirmed evidence of actual use of cyber-warfare exploiting the vulnerable GPS data? If so, what are they?

_{I have initially asked this question on Politics.SE, but was suggested to ask it here instead.}

I would be hesitant to call this "exploiting GPS vulnerabilities". — forest, Aug 08 '18 at 00:56
The Netherlands have recently forbidden the usage of certain apps by military personel for exactly this reason. Too easy to figure out where the units were located. While I can't say it has been used to target anyone yet, it's definitely a major concern for multiple countries so far. — Mast, Aug 08 '18 at 06:38
Have a read ;-) https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases Shows the layout of some army bases (US in this article), as created by joggers. — rkeet, Aug 08 '18 at 07:02
One can easily put spyware in such device to leak the exact location of the victim. A household automated cleaner can do the navigation, so it is not difficult to make one camouflage autonomous drone/vehicle homing to the person leaking the whereabout. E.g. secret meeting place, etc. — mootmoot, Aug 08 '18 at 09:57
It's not even GPS data. It's location data. The fact that in some cases it was provided by a GPS receiver is not really relevant to anything! — Lightness Races in Orbit, Aug 08 '18 at 10:53
For average consumers: be aware that your Google account stores your location history since you first bought an Android phone, unless you explicitly turned the feature off. — user253751, Aug 08 '18 at 22:38
Let's be clear on our terms. Tracking people from their fitness app publishing their locations and dates is not "cyber-warfare". As to whether's it's espionage, that would hinge on whether Strava users gave informed consent. It has the potential to be used for espionage, but then so do lots of things. — smci, Aug 11 '18 at 00:03

score 172 · Accepted Answer · edited Jun 16 '20 at 09:49

172

Confirmed cases? Yes, at least two. One is Strava, and the other is Polar.

When Strava updated its global heat map, it showed some areas in supposed desert areas full of activity. Who would go jogging, at night, on the desert? What about US soldiers?

An interactive map posted on the Internet that shows the whereabouts of people who use fitness devices such as Fitbit also reveals highly sensitive information about the locations and activities of soldiers at U.S. military bases, in what appears to be a major security oversight.

In war zones and deserts in countries such as Iraq and Syria, the heat map becomes almost entirely dark — except for scattered pinpricks of activity. Zooming in on those areas brings into focus the locations and outlines of known U.S. military bases, as well as of other unknown and potentially sensitive sites — presumably because American soldiers and other personnel are using fitness trackers as they move around.

Using fitness trackers will allow the enemy to detect the place, extrapolate the number of soldiers, the patrol patterns and path, and even identify the soldiers. If you can identify someone that lives somewhere in Montana, and suddenly spent 4 months on Pakistan, you can bet he is a soldier. And using the pace and heart rate, you can even say how fit the person is.

The Polar leak was even worse:

With two pairs of coordinates dropped over any sensitive government location or facility, it was possible to find the names of personnel who track their fitness activities dating as far back as 2014.

The reporters identified more than 6,400 users believed to be exercising at sensitive locations, including the NSA, the White House, MI6 in London, and the Guantanamo Bay detention center in Cuba, as well as personnel working on foreign military bases.

The Polar API allowed anyone to query any profile, public or private, without any rate limit. The user ID was pretty easy to predict, and 650k+ user profiles were downloaded, several GB of data. Just ask, and Polar would give all.

The post shows lots of sensitive places (nuclear facilities, military bases, NSA headquarters, Guantanamo Bay facilities, among others) and could identify the users on those places, and even their home addresses, Facebook pages and personal pictures.

You don't need to think too much to realize the damage that can be done with all that information.

edited Jun 16 '20 at 09:49

Community

1

answered Aug 08 '18 at 00:46

ThoriumBR

51,983
13
131
149

2

Interesting. Are those several GB of data available for download now? – forest Aug 08 '18 at 00:48
3

They aren't available anymore. Polar suspended the Explore API. – ThoriumBR Aug 08 '18 at 00:51
101

I still consider these stories the absolute perfect example not only of how dangerous it is to share-by-default everything you do online and offline, but also how little thought people give to it in this increasingly connected age. It's really staggering. – Lightness Races in Orbit Aug 08 '18 at 10:54
17

I still remember how angry I was when Facebook started urging _children_ to report their locations and to identify who was with them. – WGroleau Aug 08 '18 at 12:12
3

These are both confirmed cases of obviously useful data leaking, but is there any evidence anybody had actually *used* it? (Which is what the OP actually asked for - OTOH these are *obviously* good justifications for the policy.) – Martin Bonner supports Monica Aug 08 '18 at 12:15
2

@LightnessRacesinOrbit and I find baffling the replies I got on politics when I asked "why americans care so little about their privacy?" – Federico Aug 08 '18 at 12:45
22

@MartinBonner you aren't expecting the Chinese military to post on their Twitter account something like "We used Polar Tracker data to discover home address from someone working at NSA, and hacked their home WiFi to infect their computers with exfiltrating malware". Right? – ThoriumBR Aug 08 '18 at 16:28
11

@MartinBonner Personally, I think the working assumption/hypothesis should be that it *has* been used, but that you simply don't know about it. – code_dredd Aug 08 '18 at 20:03
4

@ThoriumBR The API might be suspended, but that doesn't mean the data isn't available. If someone already downloaded it, they can make it available. – mbomb007 Aug 09 '18 at 15:07
@WGroleau Google: Don't be evil. Facebook: Don't even bother pretending we're not being evil. – Mason Wheeler Aug 09 '18 at 23:43
1

@MasonWheeler Google dropped that tagline long ago. – xxbbcc Aug 10 '18 at 15:38
2

`They aren't available anymore. Polar suspended the Explore API.` @ThoriumBR Not available to us plebes. It would be a mistake to assume nation-state rivals and other well-funded NGOs with an interest in such things don't have the data already. – HopelessN00b Aug 12 '18 at 01:41
I could ask around to see if it's out there, assuming it's not intentionally being hoarded. – forest Aug 15 '18 at 02:23

score 53 · Answer 2 · edited Aug 09 '18 at 12:12

Yes, exploitation of location data in combat: FancyBear Tracking Ukrainian artillery units

In short, Ukrainian artillery units used malware-infused app to compute shooting solutions for their D-30 122mm towed howitzer. It has been found that these units suffered suspiciously high losses.

Quoting more from the Crowdstrike report (emphasis mine):

From late 2014 and through 2016, FANCY BEAR X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk.

The original application enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 Howitzer employed by Ukrainian artillery forces reducing targeting time from minutes to under 15 seconds. According to Sherstuk’s interviews with the press, over 9000 artillery personnel have been using the application in Ukrainian military.

Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them.

Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal.

Yaroslav Sherstuk must be horrified! I can only imagine how it would feel to have a nice little creation meant to help my countrymen get subverted to kill them like this. — Ruadhan2300, Aug 09 '18 at 14:36
That's one horrifying example, thanks. I found an article showing a simpler tactic, see [my answer](https://security.stackexchange.com/a/191354/9758) — Be Brave Be Like Ukraine, Aug 10 '18 at 18:39
Except the entire premise is based on grossly incorrect data; it's basically fake news. Read the update at the very top of the post: "...excluding the Naval Infantry battalion in the Crimea which was effectively captured wholesale, the Ukrainian Armed Forces lost between _15% and 20%_ of their pre-war D–30 inventory in combat operations.” Even then, that's a worthless number unless we are given comparison to other forces. — user71659, Aug 10 '18 at 20:10

score 14 · Answer 3 · edited Jun 16 '20 at 09:49

I've stumbled across this article. It assumes that the Russian army in Ukraine uses equipment capable of detecting the location of cellphones — not even necessarily GPS-enabled smartphones, just anything that uses standard cell operators (quite often compromised).

The Future Of Information Warfare Is Here — And The Russians Are Already Doing It

_{(highlight mine)}

So reports Army Col. Liam Collins in the August issue of ARMY magazine. Here’s how it works:

“The Russians are adept at identifying Ukrainian positions by their electrometric signatures,” writes Collins. One would expect that, but the thing that impressed me what came next.

“In one tactic, [Ukrainian] soldiers receive texts telling them they are ‘surrounded and abandoned.’
Minutes later, their families receive a text stating, ‘Your son is killed in action,’ which often prompts a call or text to the soldiers.
Minutes later, soldiers receive another message telling them to ‘retreat and live,’
followed by an artillery strike to the location where a large group of cellphones was detected.”

Short Message Type 0 has been used to that effect by police forces, so I am not surprised that it would be used in war. — 0xC0000022L, Aug 11 '18 at 20:19

score 12 · Answer 4 · answered Aug 10 '18 at 19:05

A Russian soldier on duty posted pictures automatically tagged with GPS data that showed he was in Ukraine, back when Russia was denying having troops there.

https://www.businessinsider.com/russian-soldier-ukraine-2014-7

Not directly involving combat, but definitely something his country would prefer to avoid.

score -3 · Answer 5 · answered Aug 13 '18 at 10:45

-3

In the early 2000's Hezbollah used several dark web sites in order to distribute media and propaganda. Intelligence agents discovered that most of the uploaded images/video still had embedded GPS meta-data, and used that to map out suspected terrorist hot spots.

The United States government declined to take action, citing the intel as "of questionable credibility". The Kremlin, however...

answered Aug 13 '18 at 10:45

Anon

11

6

... did what, exactly? – David Richerby Aug 13 '18 at 15:11

Confirmed evidence of cyber-warfare using GPS history data

5 Answers5